Create new pam parser

Hi,
I have a web application where a user can log in with his system user through PAM.

When a user fails to log in, I get these logs in auth.log:

Jul 20 15:45:21 hostname tabadmincontroller: pam_unix(login:auth): authentication failure; logname= uid=998 euid=998 tty= ruser= rhost= user=localuser
Jul 20 15:45:25 hostname su[127219]: pam_unix(su:auth): authentication failure; logname= uid=998 euid=0 tty=/dev/pts/2 ruser=xxxyyy rhost= user=localuser
Jul 20 15:45:25 hostname su[127219]: pam_ldap: error trying to bind as user "uid=localuser,ou=people,dc=mycompany,dc=com" (Invalid credentials)
Jul 20 15:45:27 hostname su[127219]: FAILED su for localuser by xxxyyy
Jul 20 15:45:27 hostname su[127219]: - /dev/pts/2 xxxyyy:localuser

I’ve created this new parser:

onsuccess: next_stage
debug: false
#filter: "evt.Parsed.program == 'su'"
name: mycompany/pam-more-logs
description: "Parse MORE pam logs"
pattern_syntax:
  PAM_AUTH_FAIL: 'pam_unix\(su:auth\): authentication failure; logname=%{NOTSPACE:logname} uid=%{NUMBER:uid} euid=%{NUMBER:euid} tty=%{NOTSPACE:tty} ruser=%{NOTSPACE:ruser} rhost=%{GREEDYDATA:rhost}  user=%{NOTSPACE:username}'
nodes:
  - grok:
      name: "PAM_AUTH_FAIL"
      apply_on: message
      statics:
        - meta: log_type
          value: pam_failed_auth
statics:
  - meta: service
    value: pam
  - meta: username
    expression: "evt.Parsed.username"

but when I try to explain a log line, the parser doesn't work:

sudo cscli explain --log "Jul 18 17:42:22 hostname su[67330]: pam_unix(su:auth): authentication failure; logname= uid=998 euid=0 tty=/dev/pts/0 ruser=RUSER rhost=  user=MYUSER" --type syslog
line: Jul 18 17:42:22 hostname su[67330]: pam_unix(su:auth): authentication failure; logname= uid=998 euid=0 tty=/dev/pts/0 ruser=RUSER rhost=  user=MYUSER
	├ s00-raw
	|	└ 🟢 crowdsecurity/syslog-logs (first_parser)
	├ s01-parse
	|	├ 🔴 crowdsecurity/apache2-logs
	|	├ 🔴 crowdsecurity/iptables-logs
	|	├ 🔴 crowdsecurity/modsecurity
	|	├ 🔴 crowdsecurity/pam-logs
	|	├ 🔴 crowdsecurity/pkexec-logs
	|	├ 🔴 crowdsecurity/postfix-logs
	|	├ 🔴 crowdsecurity/postscreen-logs
	|	├ 🔴 crowdsecurity/sshd-logs
	|	├ 🔴 mycompany/pam-more-logs
	|	└ 🔴 mycompany/sshd-more-logs
	└-------- parser failure 🔴

I get the same result if I try to simplify the parser and the log in this way:

onsuccess: next_stage
debug: false
#filter: "evt.Parsed.program == 'su'"
name: mycompany/pam-more-logs
description: "Parse MORE pam logs"
pattern_syntax:
  PAM_AUTH_FAIL: 'pam_unix'
nodes:
  - grok:
      name: "PAM_AUTH_FAIL"
      apply_on: message
      statics:
        - meta: log_type
          value: pam_failed_auth
statics:
  - meta: service
    value: pam
  - meta: username
    expression: "evt.Parsed.username"

sudo cscli explain --log "Jul 18 17:42:22 hostname su[67330]: pam_unix" --type syslog
line: Jul 18 17:42:22 hostname su[67330]: pam_unix
	├ s00-raw
	|	└ 🟢 crowdsecurity/syslog-logs (first_parser)
	├ s01-parse
	|	├ 🔴 crowdsecurity/apache2-logs
	|	├ 🔴 crowdsecurity/iptables-logs
	|	├ 🔴 crowdsecurity/modsecurity
	|	├ 🔴 crowdsecurity/pam-logs
	|	├ 🔴 crowdsecurity/pkexec-logs
	|	├ 🔴 crowdsecurity/postfix-logs
	|	├ 🔴 crowdsecurity/postscreen-logs
	|	├ 🔴 crowdsecurity/sshd-logs
	|	├ 🔴 mycompany/pam-more-logs
	|	└ 🔴 mycompany/sshd-more-logs
	└-------- parser failure 🔴

Does someone have any idea about the problem?

Thanks in advance.
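An added example, not code from the thread or from the CrowdSec project, that checks the PAM_AUTH_FAIL grok pattern from the post against sample pam_unix messages offline by expanding the `%{NAME:field}` references into a Python regex. It assumes the standard logstash base definitions (`NOTSPACE` = `\S+`, `DATA` = `.*?`, `GREEDYDATA` = `.*`, and a simplified `NUMBER`) and unanchored search semantics; the sample lines are constructed after the shapes quoted above, and the "relaxed" pattern and its `pam_service` field are the editor's own, not the hub's pam-logs parser. The relaxed pattern goes slightly beyond the post: it accepts any PAM service name and either one or two spaces before `user=`.

```python
"""Offline check of a CrowdSec grok pattern against pam_unix messages.

Added example; not code from the forum post or from the CrowdSec project.
It expands %{NAME:field} references into a Python regex using a small
subset of the logstash base patterns and runs the result with search
semantics (assumed to match how grok libraries apply patterns).
"""
import re

# Assumed logstash/grok base definitions; NUMBER is a simplified form.
BASE_PATTERNS = {
    "NOTSPACE": r"\S+",               # one or more: cannot match an empty field
    "DATA": r".*?",                   # zero or more, lazy: matches an empty field
    "GREEDYDATA": r".*",
    "NUMBER": r"[+-]?\d+(?:\.\d+)?",
}

GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")

# Pattern exactly as posted in the thread (PAM_AUTH_FAIL).
ORIGINAL_PATTERN = (
    r"pam_unix\(su:auth\): authentication failure; logname=%{NOTSPACE:logname} "
    r"uid=%{NUMBER:uid} euid=%{NUMBER:euid} tty=%{NOTSPACE:tty} "
    r"ruser=%{NOTSPACE:ruser} rhost=%{GREEDYDATA:rhost}  user=%{NOTSPACE:username}"
)

# Editor's relaxed version (hypothetical, not the hub's pam-logs parser):
# DATA for the fields pam_unix may leave empty, any PAM service, \s+ before user=.
RELAXED_PATTERN = (
    r"pam_unix\(%{DATA:pam_service}:auth\): authentication failure; logname=%{DATA:logname} "
    r"uid=%{NUMBER:uid} euid=%{NUMBER:euid} tty=%{DATA:tty} "
    r"ruser=%{DATA:ruser} rhost=%{DATA:rhost}\s+user=%{NOTSPACE:username}"
)

# Constructed message parts (what apply_on: message sees once the syslog
# header has been stripped), shaped like the lines quoted in the post.
SAMPLES = {
    "su_empty_logname": "pam_unix(su:auth): authentication failure; logname= uid=998 euid=0 tty=/dev/pts/0 ruser=RUSER rhost=  user=MYUSER",
    "su_all_fields": "pam_unix(su:auth): authentication failure; logname=root uid=0 euid=0 tty=/dev/pts/2 ruser=admin rhost=  user=bob",
    "login_empty_tty": "pam_unix(login:auth): authentication failure; logname= uid=998 euid=998 tty= ruser= rhost= user=localuser",
}


def grok_to_regex(pattern: str) -> str:
    """Replace each %{NAME:field} with a named group built from BASE_PATTERNS."""
    def expand(m: re.Match) -> str:
        name, field = m.group(1), m.group(2)
        body = BASE_PATTERNS[name]  # KeyError on purpose for an unknown base pattern
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return GROK_REF.sub(expand, pattern)


def grok_match(pattern: str, line: str):
    """Captured fields as a dict, or None when the pattern does not match."""
    m = re.search(grok_to_regex(pattern), line)
    return m.groupdict() if m else None


def check_pattern(pattern: str) -> dict:
    """Map each sample name to the username the pattern extracts, or None on failure."""
    results = {}
    for name, line in SAMPLES.items():
        fields = grok_match(pattern, line)
        results[name] = fields["username"] if fields else None
    return results


if __name__ == "__main__":
    for label, pattern in (("original", ORIGINAL_PATTERN), ("relaxed", RELAXED_PATTERN)):
        print(label, check_pattern(pattern))
```

The point it makes visible: `NOTSPACE` is `\S+`, which needs at least one character, so `logname=%{NOTSPACE:logname}` can never match a line where `logname=` is empty, and every pam_unix line quoted in the post has an empty `logname` (the login line also has an empty `tty`). The original pattern only matches the constructed line where all fields are populated. The same check for the real parser is `debug: true` in the parser YAML, which shows which grok failed inside crowdsec itself.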

Hello !

What I would suggest is using cscli hubtest when creating your parser, as described here: Creating parsers | CrowdSec

When doing so, you can then set your parser in debug mode (debug: true) and see exactly what fails (most likely the grok pattern in your case).

If you want to avoid this, you can put your parser in debug mode and use crowdsec -dsn to “replay” the log file and see where the parsing fails 🙂

Let me know!